Frankly, the whole thing seems like a pretty big stretch. At issue, is the fact that Google search results URLs include the query data, and that's then included in the referral URL, allowing websites to know what people were searching on that got them to click on the website. This is, of course, how pretty much all search engines work, and websites have always used that data to analyze how people are getting to their sites. But Soghoian argues -- correctly -- that there can be personal info included in a query string, and that while Google does offer some tools to let you avoid passing on the query string, they're not that easy to find. He also suggests that Google could just provide aggregate data, rather than each query string.

While I'm pretty big in supporting privacy issues... I have to say that I really don't see this as a big issue. Soghoian tries to use examples of where query strings revealed private info, but those are in cases where the query string was revealed to other third parties who had nothing to do with the transaction in question. But providing that data directly to the site that was clicked? It's hard to see how there's a problem there. Soghoian does point out that Google does mask the query string on URL clicks that come from Gmail accounts, but that's an entirely different situation, because then you're searching through private data. When doing a websearch on public data, and providing it only to a party who is involved in the event, seems totally reasonable. There are plenty of legitimate privacy issues out there. It seems silly to focus on one that seems so inconsequential.